Friday, August 26, 2011

Dissecting Java Server Faces for Penetration Testing

Overview

Software security has become an indispensable part of the software development life cycle. The penetration testing approach varies with the web development framework and platform under test, and as attacks grow more sophisticated the standard of penetration testing has to rise with them. An aggressive security testing approach is required to detect inherent vulnerabilities and to develop robust countermeasures that thwart sophisticated attacks. Owing to the relentless pace of security research, a plethora of vulnerabilities are being unearthed in web frameworks and software. Thus, for effective penetration testing, the security model and architecture of the target web framework should be dissected appropriately.

The OWASP Top 10 is widely used as the de facto standard for penetration testing of web applications and frameworks. However, it is an awareness list of the most common attack vectors, and a penetration testing methodology should not be constrained to it: it must also cover the advanced, framework-specific attack vectors that need to be tested to validate the strength of a web framework.

This paper is divided into two parts. In the first part, we discuss the internals of JSF, a Java-based web application framework, and its inherent security model. In the second part, we discuss the security weaknesses and the applied security features in JSF. In addition, we raise a flag on the security issues present in JSF in order to conduct effective penetration testing.